Unbound DNS over TLS Adblock up-to-date root.hints

DD-WRT Forum: Advanced Networking
tinkeruntilitworks (Guest)
Posted: Fri Apr 24, 2020 12:48
did you try creating the new unbound directory?
that way the root.hints would be up-to-date.
then add the directory and files to the unbound.conf
chroot: "/jffs/unbound"
directory: "/jffs/unbound"
root-hints: "/jffs/unbound/root.hints"
auto-trust-anchor-file: "/jffs/unbound/root.key"


Last edited by tinkeruntilitworks on Tue Jun 23, 2020 16:29; edited 1 time in total
tatsuya46 (DD-WRT Guru; joined 03 Jan 2010; posts: 7410; location: YWG, Canada)
Posted: Fri Apr 24, 2020 13:23
tinkeruntilitworks wrote:
tatsuya46 wrote:
this is my current conf for reference.. recursion, no dnssec. still trying to understand some things like target-fetch-policy, auth zone, and why root hints cant be changed etc.

Code:

server:
verbosity: 1
interface: 0.0.0.0
outgoing-num-tcp: 15
incoming-num-tcp: 15
msg-buffer-size: 65552
outgoing-range: 4096
num-queries-per-thread: 2048
so-rcvbuf: 5m
so-sndbuf: 5m
key-cache-size: 8m
neg-cache-size: 2m
msg-cache-size: 128m
rrset-cache-size: 256m
rrset-roundrobin: yes
cache-min-ttl: 3600
infra-host-ttl: 259200
infra-cache-numhosts: 100000
serve-expired: yes
username: ""
pidfile: "/var/run/unbound.pid"
root-hints: "/etc/unbound/named.cache"
auto-trust-anchor-file: ""
prefetch: yes
prefetch-key: yes
target-fetch-policy: "-1 -1 -1 -1 -1"
harden-short-bufsize: no
harden-large-queries: no
minimal-responses: no
so-reuseport: yes
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
port: 7053
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
access-control: 127.0.0.0/8 allow
access-control: 10.150.10.0/24 allow
access-control: 0.0.0.0/0 refuse
local-data: "localhost A 127.0.0.1"
auth-zone:
name: "."
master: 199.7.91.13          # d.root-servers.net
master: 192.203.230.10       # e.root-servers.net
master: 192.5.5.241          # f.root-servers.net
master: 192.58.128.30        # j.root-servers.net
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: root.zone
python:
remote-control:


running on an x86 with 4 GB RAM, so adjust accordingly for a weak ARM router etc.


did you try creating the new unbound directory?
that way the root.hints would be up-to-date.
then add the directory and files to the unbound.conf
chroot: "/jffs/unbound"
directory: "/jffs/unbound"
root-hints: "/jffs/unbound/root.hints"
auto-trust-anchor-file: "/jffs/unbound/root.key"


i don't understand chroot's purpose; every time i tried anything with it, unbound never started. i'll try it that way later.

_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r45460 std
[QUALCOMM] DIR-862L --------------------------------> r45460 std
[QUALCOMM] WNDR4300 v1 --------------------------> r45460 std
[QUALCOMM] DIR-862L --------------------------------> r45460 std
▲ ACTIVE / INACTIVE ▼
[BROADCOM] DIR-860L A1 ----------------------------> r44901 std


If you use DSLReports please enable hi-res bufferbloat.


Sigh.. why do i exist anyway..
tinkeruntilitworks (Guest)
Posted: Fri Apr 24, 2020 13:38
i include the chroot setting because in the default settings it uses chroot to the temp directory where the default router conf is created

maybe
chroot: ""

would be better?
tatsuya46 (DD-WRT Guru; joined 03 Jan 2010; posts: 7410; location: YWG, Canada)
Posted: Fri Apr 24, 2020 17:48
tinkeruntilitworks wrote:
i include the chroot setting because in the default settings it uses chroot to the temp directory where the default router conf is created

maybe
chroot: ""

would be better?


the first suggestion worked

chroot: "/jffs/etc"
directory: "/jffs/etc"
root-hints: "/jffs/etc/named.cache"
auto-trust-anchor-file: "/jffs/etc/root.key"


and it started.

tinkeruntilitworks (Guest)
Posted: Fri Apr 24, 2020 21:33
..

Last edited by tinkeruntilitworks on Tue Jun 23, 2020 16:32; edited 1 time in total
Redback813 (DD-WRT Novice; joined 10 Nov 2015; posts: 39)
Posted: Sun Apr 26, 2020 7:55
Still can't get unbound to work with the custom settings. I'm running DD-WRT v3.0-r42954 std (04/20/20). I know for sure that Samba has a serious issue with dropouts, so it would not surprise me if unbound is having issues also. Here are the settings; I'll be damned if I can get this to work, but the default settings are not a problem.

server:
verbosity: 1
interface: 0.0.0.0@7053
interface: ::0@7053
outgoing-num-tcp: 10
incoming-num-tcp: 10
msg-buffer-size: 8192
msg-cache-size: 50m
num-queries-per-thread: 30
rrset-cache-size: 100m
infra-cache-numhosts: 200
username: ""
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/unbound/named.cache"
chroot: "/jffs/unbound"
directory: "/jffs/unbound"
include: "/jffs/unbound/conf.d/*.conf"
target-fetch-policy: "2 1 0 0 0 0"
harden-short-bufsize: yes
harden-large-queries: yes
auto-trust-anchor-file: "/jffs/unbound/root.key"
key-cache-size: 100k
neg-cache-size: 10k
num-threads: 2
so-rcvbuf: 1m
so-sndbuf: 1m
so-reuseport: yes
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
outgoing-range: 462
access-control: 127.0.0.0/8 allow
access-control: 10.10.10.0/24 allow
local-data: "localhost A 127.0.0.1"
python:
remote-control:
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 209.222.18.218@853#Privateinternetaccess-dns.com
forward-addr: 209.222.18.222@853#Privateinternetaccess-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 1.1.1.1@853#cloudflare-dns.com
tinkeruntilitworks (Guest)
Posted: Sun Apr 26, 2020 11:44
unbound does DNS over TLS using TCP only. possibly the issue?

i'm not familiar with the Private Internet Access DNS or your include conf

hopefully someone that has mixed a VPN and unbound sees this so they could help
Redback813 (DD-WRT Novice; joined 10 Nov 2015; posts: 39)
Posted: Sun Apr 26, 2020 12:50
tinkeruntilitworks wrote:
unbound does dns over tls using tcp only. possibly the issue?

i'm not familiar with the private internet access dns or your include conf

hopefully someone that has mixed a vpn and unbound see this so they could help


The top point is incorrect, since one can use UDP, whereas TCP will slow requests down with regards to DNSSEC; and as for PIA, this has no bearing when it is disabled, as there is no difference.
tinkeruntilitworks (Guest)
Posted: Sun Apr 26, 2020 14:31
i stand by my comment of unbound doing DNS over TLS over TCP only


i've found DNSSEC is sped up if you enable IPv6

*
just noticed you don't have the TLS cert bundle setting in your unbound conf
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
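The two things that trip people up in this thread are chroot paths (tatsuya46's "unbound always dont start", fixed by putting every file under the chroot directory) and a DoT forward-zone that has nothing to verify the upstream certificate against (the missing tls-cert-bundle above). The lint below is an added example, not code from the thread or from the Unbound project; it checks a config file for both before you restart the daemon. Per unbound.conf(5), when chroot is set Unbound strips the chroot prefix from file names that begin with it and treats other names as relative to the chroot, so the suggested "/etc/ssl/ca-bundle.crt" under a "/jffs/unbound" chroot is looked up inside the chroot, not at the system path. The sample configs, the 192.0.2.53 address and the dot.example.net auth name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Unbound project): a small lint for
# an unbound.conf that uses chroot and DNS over TLS. Run it on the router or on
# a PC against the file you are about to deploy. It flags file paths that are
# not under the chroot (Unbound cannot open them after it has chrooted) and a
# DoT forward-zone that cannot authenticate its upstream.

# conf_value FILE KEY -> first double-quoted value of KEY, or empty
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# lint_unbound_conf FILE -> prints one WARN line per finding; returns 0 if clean
lint_unbound_conf() {
    conf="$1"
    rc=0
    chroot_dir=$(conf_value "$conf" chroot)
    if [ -n "$chroot_dir" ]; then
        # Per unbound.conf(5) these files must live inside the chroot.
        for key in directory root-hints auto-trust-anchor-file tls-cert-bundle; do
            val=$(conf_value "$conf" "$key")
            [ -z "$val" ] && continue
            case "$val" in
                "$chroot_dir"|"$chroot_dir"/*) ;;   # inside the chroot: fine
                *) echo "WARN: $key \"$val\" is not under chroot \"$chroot_dir\""
                   rc=1 ;;
            esac
        done
    fi
    if grep -q '^[[:space:]]*forward-tls-upstream:[[:space:]]*yes' "$conf"; then
        # Without a CA bundle Unbound has nothing to verify upstream certs against.
        if ! grep -q '^[[:space:]]*tls-cert-bundle:' "$conf"; then
            echo "WARN: forward-tls-upstream is yes but tls-cert-bundle is not set"
            rc=1
        fi
        # A forward-addr without "#authname" gives Unbound no name to check the
        # certificate against, so that upstream is not authenticated.
        if grep '^[[:space:]]*forward-addr:' "$conf" | grep -qv '#'; then
            echo "WARN: forward-addr without #authname; certificate name cannot be checked"
            rc=1
        fi
    fi
    return $rc
}

# write_sample_conf FILE bad|good -> constructed sample configs (not the
# thread's own). "bad" uses the system CA-bundle path under a /jffs/unbound
# chroot and one unauthenticated forward-addr; "good" keeps everything inside
# the chroot and names every upstream. 192.0.2.53 / dot.example.net are made up.
write_sample_conf() {
    if [ "$2" = bad ]; then
        bundle=/etc/ssl/ca-bundle.crt; addr=192.0.2.53@853
    else
        bundle=/jffs/unbound/ca-bundle.crt; addr=192.0.2.53@853#dot.example.net
    fi
    cat > "$1" <<EOF
server:
    chroot: "/jffs/unbound"
    directory: "/jffs/unbound"
    root-hints: "/jffs/unbound/named.cache"
    auto-trust-anchor-file: "/jffs/unbound/root.key"
    tls-cert-bundle: "$bundle"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: $addr
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
EOF
}

# Usage: sh unbound_lint.sh /jffs/unbound/unbound.conf
if [ -n "$1" ]; then
    lint_unbound_conf "$1"
fi
```

On the "bad" sample the lint prints two WARN lines (the CA bundle outside the chroot and the forward-addr without an auth name) and exits 1; on the "good" sample it prints nothing and exits 0. The fix for the bundle warning is to copy the CA bundle into the chroot (for example to /jffs/unbound/ca-bundle.crt) and point tls-cert-bundle at that path.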
Redback813 (DD-WRT Novice; joined 10 Nov 2015; posts: 39)
Posted: Mon Apr 27, 2020 0:42
tinkeruntilitworks wrote:
i stand by my comment of unbound doing dns over tls tcp only


i've found dnssec is sped up if you enable ipv6

*
just noticed you don't have the tls cert bundle setting in your unbound conf
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"


When it comes to IPv6 and VPN services there is plenty of info with regards to this leaking protocol. Still no go; did you disable "Use DNSMasq for DNS"?
tinkeruntilitworks (Guest)
Posted: Mon Apr 27, 2020 2:11
Redback813 wrote:
did you disable the "Use DNSMasq for DNS"?


no. i keep it enabled
Redback813 (DD-WRT Novice; joined 10 Nov 2015; posts: 39)
Posted: Mon Apr 27, 2020 4:26
tinkeruntilitworks wrote:
Redback813 wrote:
did you disable the "Use DNSMasq for DNS"?


no. i keep it enabled


One question: where did you put the finished unbound.conf file?
tinkeruntilitworks (Guest)
Posted: Mon Apr 27, 2020 12:01
deleted incorrect info

Last edited by tinkeruntilitworks on Mon Apr 27, 2020 17:56; edited 1 time in total
E900 (DD-WRT Novice; joined 05 Mar 2018; posts: 24; location: In your Heart)
Posted: Mon Apr 27, 2020 17:21
..

Last edited by E900 on Thu May 07, 2020 18:55; edited 5 times in total
tinkeruntilitworks (Guest)
Posted: Mon Apr 27, 2020 17:39
much appreciated
i'll make the adjustments
Page 3 of 5. All times are GMT.